{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0974", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-15T01:29:25.748Z", "datePublished": "2026-02-19T04:36:21.529Z", "dateUpdated": "2026-05-16T00:50:30.856Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-05-16T00:50:30.856Z"}, "affected": [{"vendor": "orderable", "product": "Orderable \u2013 Restaurant & Food Ordering System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.20.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution."}], "title": "Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b97d2b63-7eaa-4518-b838-35d4b993743d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/orderable/trunk/inc/vendor/iconic-onboard/inc/class-ajax.php#L111"}, {"url": "https://plugins.trac.wordpress.org/changeset/3465392/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-02-18T15:44:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T01:33:12.853927Z", "id": "CVE-2026-0974", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T01:33:27.120Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T01:33:12.853927Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T01:33:23.103Z"}}], "cna": {"title": "Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "orderable", "product": "Orderable \u2013 Restaurant & Food Ordering System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.20.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:44:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b97d2b63-7eaa-4518-b838-35d4b993743d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/orderable/trunk/inc/vendor/iconic-onboard/inc/class-ajax.php#L111"}, {"url": "https://plugins.trac.wordpress.org/changeset/3465392/"}], "descriptions": [{"lang": "en", "value": "The Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-05-16T00:50:30.856Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0974", "state": "PUBLISHED", "dateUpdated": "2026-05-16T00:50:30.856Z", "dateReserved": "2026-01-15T01:29:25.748Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:21.529Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution."}, {"lang": "es", "value": "El plugin Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin para WordPress es vulnerable a la instalaci\u00f3n no autorizada de plugins debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'install_plugin' en todas las versiones hasta la 1.20.0, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, instalar plugins arbitrarios, lo que puede llevar a la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-0974", "lastModified": "2026-05-16T01:16:15.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:42.700", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/orderable/trunk/inc/vendor/iconic-onboard/inc/class-ajax.php#L111"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3465392/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b97d2b63-7eaa-4518-b838-35d4b993743d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.20.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin", "source": "cna", "vendor": "orderable"}, "product": "orderable_\u2013_wordpress_restaurant_online_ordering_system_and_food_ordering_plugin", "vendor": "orderable"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:03:00.119732+00:00", "value": {"mitigation_remediation": ["Upgrade Orderable to a version newer than 1.20.0 that removes the missing capability check.", "Audit the WordPress installation for other plugins or functions that allow unauthorized actions and apply updates or patches as available.", "Restrict the Subscriber role by disabling plugin installation capabilities or enforce least privilege so that only Administrator users can install plugins."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via unauthorized plugin installation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin from the Orderable vendor, specifically all releases up to version 1.20.0. Administrators and subscribers on affected WordPress sites using these versions are at risk.", "description_and_impact": "The Orderable WordPress plugin fails to verify user permissions when performing the install_plugin action, allowing any user with Subscriber-level access or higher to upload and activate arbitrary plugins. The lack of a capability check can lead to Remote Code Execution if a malicious plugin is installed. This flaw is categorized as Missing Authorization (CWE-862).", "risk_and_exploitability": "With a CVSS base score of 8.8, the flaw represents a high severity risk. The EPSS indicates a low probability of exploitation at this time, and the vulnerability is not part of the CISA Known Exploited Vulnerabilities catalog. Nevertheless, because the technique only requires a Subscriber role \u2013 a common role on many WordPress installations \u2013 an attacker could easily exploit the flaw if credentials are compromised or if social engineering succeeds. The likely attack vector is an authenticated user who leverages the plugin installation endpoint without proper authorization checks."}}}}, "created": "2026-02-19T10:06:58.080000+00:00", "updated": "2026-04-15T17:15:10.604581+00:00", "vendors": ["orderable", "orderable$PRODUCT$orderable_\u2013_wordpress_restaurant_online_ordering_system_and_food_ordering_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}